EDPB Opens Public Consultation on Article 48 GDPR Guidelines

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 12/04/2024

The European Data Protection Board (EDPB) has launched a public consultation on its newly adopted Guidelines 02/2024 on Article 48 GDPR, inviting stakeholders to submit comments by January 27, 2025. These guidelines, unveiled on December 2, 2024, aim to clarify the application of Article 48 of the GDPR, which addresses international requests for personal data transfers and disclosures.

 

Article 48 of the GDPR underscores the importance of protecting European data sovereignty. It stipulates that any judgment or decision by a non-EU court or authority requiring data transfers can only be recognized or enforced if based on an international agreement, such as a mutual legal assistance treaty, or if it complies with other GDPR provisions.

 

The guidelines explain how controllers and processors within the European Union should handle such requests. They emphasize the dual requirement for compliance: adherence to Article 6 (legal grounds for processing) and to Chapter V of the GDPR, which governs international data transfers. The EDPB provides detailed recommendations to ensure data protection principles are upheld when responding to third-country requests.

 

The guidelines focus on situations where third-country authorities directly request data from EU-based private entities. This is increasingly relevant as global entities seek access to EU data for regulatory, security, or investigative purposes. The guidelines also highlight the importance of compliance with other applicable legal frameworks, such as national procedural laws.

 

The EDPB reiterates that Article 48 aims to safeguard personal data from the extraterritorial application of non-EU laws that may conflict with GDPR protections. By requiring a legal basis for processing and a compliant transfer mechanism, the article ensures that international data requests do not undermine EU citizens’ privacy rights.

 

The guidelines outline scenarios and best practices for data controllers and processors to navigate requests from third-country authorities:

 

  • International Agreements: Recognizing international agreements as a basis for compliance under Article 6(1)(c) or 6(1)(e) GDPR and as grounds for transfer under Chapter V.
  • Alternative Grounds for Transfers: In the absence of such agreements, controllers must explore other legal bases, including the use of specific derogations under Article 49 GDPR.
  • Balancing Tests and Safeguards: The guidelines encourage thorough assessments to ensure that data transfers are justified and that data subject rights are respected.

 

Stakeholders, including organizations, research bodies, and industry groups, are encouraged to review the guidelines and provide feedback. Comments can be submitted via the EDPB’s online form. Contributors should note that their submissions may be published on the EDPB website following a screening process to prevent spam and unauthorized content.

 

For more information, the guidelines and submission form are available on the EDPB’s official website.

 

 
